Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

hijacker that diverts my homepage


  • Please log in to reply

#1
MSH69

MSH69

    New Member

  • Member
  • Pip
  • 1 posts
My homepage has been changed to hijacker website. I cannot get it removed from my system. Please help


I have used pest patrol to detect why my homepage is diverted to www.wow.access.com/serach/main.html.
Also when it hides behind "www.microsoet.com/start/php?url=" it diverts yahoo.com & google.com by using this address.
It says the program lies in the file: C:\windows\stsheets.dat , however, this does not show up in windows explorer.

Here are the findings of pest patrol:
Catagory: Hijacker
Author: coolwebsearch.com
Release date: 1/25/05
In FILE: C:\windows\stsheets.dat
PVT: -1323859766
MD5: 482aee62ac99e5064e074670a97f5741

I have ran "NoAdware" it does not detect it at all.

The following is my "Hijack This" log:

Logfile of HijackThis v1.99.1
Scan saved at 8:51:46 PM, on 5/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
C:\windows\system32\winpipe.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\secmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wow-acces...earch/main.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wow-acces...earch/main.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wow-acces...earch/main.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.wow-acces...earch/main.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.wow-acces...earch/main.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.wow-acces...earch/main.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wow-acces...earch/main.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.wow-acces...earch/main.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.wow-acces...earch/main.html
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [winpipe] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\secmon.exe
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /1
O4 - HKCU\..\Run: [NoAdware] "C:\Program Files\NoAdware3\NoAdware.exe" /s
O4 - HKCU\..\RunOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: secmon.exe
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll (file missing)
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\Program Files\ShopperReports\Bin\1.0.4.0\ShprRprt.dll (file missing)
O13 - DefaultPrefix: http://www.microsoet.../start.php?url=
O13 - WWW Prefix: http://www.microsoet.../start.php?url=
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Any assistance will be greatly appreciated in eradicating this hijacker!!!
Thank-you!
  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP